Magic (Ransomware)
This article is about the ransomware. For the DOS virus, see Magic.

Magic is an encryption ransomware Trojan that runs on Microsoft Windows. Magic is based on HiddenTear, an open source ransomware platform that has been responsible for countless other encryption ransomware Trojans since it was first released in August 2015. The Magic Ransomware attack is mainly designed to target computer users in Italy and includes a ransom note written in Italian (although there is nothing preventing the Magic Ransomware from being distributed outside of this region).

Payload Transmission

Magic is delivered to victims through corrupted PDF or DOCX files with operational macro scripts that download and install the Magic Ransomware when the file is opened. These files are attached to spam email messages that use social engineering techniques to trick inexperienced computer users into opening the file attachment.

Infection

Magic uses a combination of AES and RSA encryption to make the victim's files completely inaccessible. Magic targets user-generated files while avoiding Windows system files and other files whose loss would prevent the victim's computer from functioning. Magic's aim is to take the victim's files hostage while leaving the system functional so that a ransom note can be displayed.
Magic will target a wide variety of file types in its attack, including files with the following extensions: .3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

The files encrypted by the Magic Ransomware attack are easy to identify because the Magic Ransomware adds the file extension '.locked' to each file's name. After it finishes encrypting the victim's files, the Magic Ransomware drops a ransom note on the infected computer's desktop in the form of a text file named 'READ_IT.txt'. The text of this ransom note is in Italian. The Magic Ransomware's ransom note, translated into English, reads as follows:

'This computer has been hacked
Your personal data have been encrypted. They will be irreparable until you pay the ransom ...
It is useless to try to decrypt them...
Only I can do it now, follow these steps to retrieve your files:
1 Go to https://localbitcoins.com/
2 Search for a bitcoin seller
3 pay to address CHARCTERS the amount of 100 euro
if you do not know what bitcoin is: https://www.focusjunior.it/tecnologia/bitcoin-cosa-sono-e-come-funzionano
or look at this xxxxs: www.youtube.com/watch?v=g72aeVoOGLg
As soon as you make the payment you will receive the key to decrypt the data and retrieve the data ...
all data will be destroyed forever within 48 hours
Good luck
THE MAGIC :)'

Magic will change the infected computer's desktop into a black image with the text 'YOU'VE BEEN HACKED!' in bright green letters. Magic will run as 'fattura.exe' on the infected computer, which may be an attempt to disguise the nature of its attack.
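
The file-system indicators described above (the '.locked' suffix on targeted file types, the 'READ_IT.txt' note and the 'fattura.exe' file name) can be checked together when triaging a suspect file tree. The following Python code is an added example, not part of the original article; the function names, the subset of extensions and the sample tree are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Indicators as given in the article; TARGETED is a subset of its extension list.
LOCKED_SUFFIX, RANSOM_NOTE, EXE_NAME = ".locked", "read_it.txt", "fattura.exe"
TARGETED = {".doc", ".docx", ".pdf", ".xls", ".xlsx", ".jpg", ".png",
            ".txt", ".zip", ".sql", ".psd", ".mp3", ".mp4"}


def triage(root):
    """Walk `root` and collect paths matching each indicator (case-insensitive)."""
    report = {"locked": [], "notes": [], "executables": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower, path = name.lower(), os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower == EXE_NAME:
                report["executables"].append(path)
            elif lower.endswith(LOCKED_SUFFIX):
                # 'invoice.docx.locked' -> original extension '.docx'
                if Path(lower[:-len(LOCKED_SUFFIX)]).suffix in TARGETED:
                    report["locked"].append(path)
    return report


def verdict(report):
    """'.locked' alone is a common suffix, so require a second indicator."""
    if report["locked"] and (report["notes"] or report["executables"]):
        return "likely-magic"
    return "needs-review" if any(report.values()) else "clean"


def build_sample(root):
    """Constructed sample tree standing in for a user profile (hypothetical)."""
    for sub in ("Desktop", "Documents"):
        (Path(root) / sub).mkdir()
    (Path(root) / "Desktop" / "READ_IT.txt").write_text("constructed placeholder")
    for name in ("invoice.docx.locked", "photo.JPG.locked", "app.locked", "notes.txt"):
        (Path(root) / "Documents" / name).write_bytes(b"\x00")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        result = triage(tmp)
        print(verdict(result), {k: len(v) for k, v in result.items()})
```

A 'needs-review' result means only one kind of indicator was found, which is not enough on its own to attribute the files to this family.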